When a CAC, Common Access Card, is used, you can set the portal to allow access without the client CAC user entering a user name and password.
Note: Part of the procedure for setting up CAC authentication involves enabling FIPS for additional security. Enabling FIPS has an overhead that can adversely impact performance.
To set up CAC authentication requires using CAC certificates and configuring the portal servers with these certificates as well as enabling FIPS for the portal. Afterwards, CAC can be set as the single-signon method in the portal user interface.
To configure the portal servers for CAC authentication:
Log in to the CTERA Portal master DB server as root, using SSH.
Copy the root certificate file associated with the CAC certificate and any intermediate certificates in the chain to the /root/ path of the Master DB Server.
Create the truststore.
In the Master DB Server and enter the following commands: . $bindir/ctera-common.sh ; export _JAVA_OPTIONS
Move to the /usr/local/ctera/apache-tomcat/webapps/ directory and run the following keytool commands for the CAC certificate file and any intermediate certificates in the chain. For example, for a CAC certificate file named RootCA1.cer and an intermediate certificate named IntermediateCA1.cer, run the following two commands, changing the jdk1.8.0_201 value to the JDK on the server (use the command ls -d /usr/local/ctera/jdk*/bin to find the current JDK bin directory):
/usr/local/ctera/jdk1.8.0_201/bin/keytool -import -keystore truststore -file /root/RootCA1.cer -alias rootca1 -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
/usr/local/ctera/jdk1.8.0_201/bin/keytool -import -keystore truststore -file /root/IntermediateCA1.cer -alias intermediateca1 -trustcacerts -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
Note: The alias name of each certificate in the keytool command must be unique.
Convert the truststore format to BCFKS format by running the following command, changing the jdk value to the JDK on the server:
keytool -importkeystore -srckeystore /usr/local/ctera/apache-tomcat/webapps/truststore -srcstoretype JKS -destkeystore /usr/local/ctera/apache-tomcat/webapps/truststore.bcfks -deststoretype BCFKS -srcprovidername "SUN" -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath /usr/local/ctera/jdk1.8.0_201/jre/lib/ext/SafeLogic_CTERA.jar -srcstorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg) -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
You can display the entries in the new BCFKS keystore with the following command:
keytool -list -v -keystore truststore.bcfks -storetype BCFKS -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
The password is the SERVER_KEY, which is extracted automatically from /etc/ctera/portal.cfg and used in the following part of above command $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg).
Copy the truststore.bcfks file to the same path of the Replication DB server and all the portal servers, such as the application and preview servers. For example, using SCP, run the following command:
scp truststore.bcfks root@portal_ip_address:/usr/local/ctera/apache-tomcat/webapps
Enable FIPS by running the following in the command line: set /settings/javaSecurityProviderMode FIPS
Note: You can also set FIPS using the CLI command from within the portal user interface, as described in Execute CLI Commands from the Global Admin User Interface
Restart the portal servers.
To configure CAC single sign-on in the portal user interface:
- In the global administration view, select Settings in the navigation pane.
- Select SSO under USERS in the Control Panel page.
The Single Sign On window is displayed.
- Select Smart Card / Client certificates from the dropdown box.
The Single Sign On window is redisplayed for CAC authentication.
- Uncheck OCSP Revocation Checking, unless an OCSP server is being used for certificate revocation and it returns an answer.
- Click SAVE.
The portal servers are restarted.
Users log on to their systems using CAC.